Windows Internals for Reverse Engineers

Instructor:

Alex Ionescu

Dates:

12-15 June 2017

Capacity:

18 Seats ( SOLD OUT )

Price:

4200$ CAD before waiting-list, 5000$ CAD after.

Learn the internals of the Windows NT kernel architecture, including
Windows 10 “Threshold 2” and “Redstone 1”, as well as Server 2016, in order
to learn how rootkits, PLA implants, NSA backdoors, and other kernel-mode
malware exploit the various system functionalities, mechanisms and data
structures to do their dirty work. Also learn how kernel-mode code operates
and how it can be subject to attack from user-mode callers to elevate their
privileges. Finally, learn how CPU architecture deeply ties into OS design,
and how Intel, ARM and AMD’s mistakes can lead to more pwnage.

We’ll cover the new Windows 10 kernel changes, including the introduction
of Virtual Trust Levels to make pass-the-hash attacks virtually impossible,
Hypervisor-based Code Integrity to prevent code execution, even with Ring 0
vulnerabilities, as well as new mitigations such as Control Flow Guard
(CFG) to protect against exploitation.

Windows 10 builds upon many Windows 8.1 mechanisms such as Protected
Process Light and custom Code Signing Policies, so we’ll review this as
well, plus new Windows 8 kernel features (AppContainer, Secure Boot, and
more) relevant to driver operation and exploitation techniques will be
discussed, including an overview of over two dozen new security mitigations
that have been added to the operating system. We’ll see how these changes
to the architecture have dramatically constrained exploit techniques.
Windows 7 kernel changes will be discussed too, such as the new Object
Manager data structures.

All while learning the theory, you will use tools such as WinDBG,
SysInternals Tools and Process Hacker to analyze, poke, and prod
kernel-mode Windows components, as well as write your own debugger scripts
including the new NatVis/LINQ mode.

Throughout the class, we’ll focus on using various techniques and tools to
inspect the Windows kernel for consistency, tracing its operation, and
editing it, as well as ways in which offensive and defensive attackers can
mess with the system’s state in unexpected, “clean” ways. We’ll also take a
look at several examples of malicious and/or buggy drivers in a given
Windows system, as well as architectural bugs over Windows’ lifetime.

Attendees will receive a physical handout of the entire course materials
for future reference, plus a WinDBG Lab Cheat Sheet.

CLASS OUTLINE

Part 1: WinDBG Zero to Hero

You will be presented with many WinDBG/KD commands, as well as how to write
your own scripts. You’ll spend a good few hours learning WinDBG tricks that
will save you hours of time and effort, and turn your WinDBG-fu from white
belt to WinDBG sensei. You’ll also never call it “Win DEE BEE GEE” again.
For complete mastery, you’ll move on to learning about the new NatVis
Debugger Data Model, which includes support for LINQ, Anonymous Types,
Lambda Functions, and more.

Part 2: Windows OS and CPU Architecture

You’ll be exposed to low-level CPU details such as segmentation and task
gates, things you probably thought didn’t matter since 1986 anymore, but
which still drive core Windows architecture today. Never again will you
think [fs:18h] is a magic constant. Both x86 and x64 will be covered, and
you’ll also learn about how ARM does some of these things and how Windows
Mobile interacts with the ARM chip. A quick look at ARM64 will also make
the rounds. Security features such as SMEP and SGX will be par for the
course, and we’ll see the facilities that Windows provides to use them.
Finally, we’ll see how the hypervisor adds its own layer of security
mechanisms using Virtual Trust Levels and SLAT.

We’ll then move our focus toward understanding the behavior and operation
of the Windows Kernel. Core topics such as interrupts, DPCs, APCs, system
calls, timers, scheduling and memory management will be discussed at the
architectural level. You are expected to already be familiar with some of
these ideas – for example, on the topic of memory management, it is not
about how to use malloc, but rather about the complexities of and effects
of the algorithms used by Windows when managing pages.

You will learn the various data structures used by bookkeeping and internal
consistency and management of key system components such as the ALPC
subsystem that powers RPC, as well as core mechanisms and objects such as
threads, processes, and jobs, and how these fields can affect the operation
of the system in ways that malicious code can control.

You’ll learn about the Windows Memory Manager and its many bookkeeping data
structures both at the virtual memory and physical memory layer and how
they can both be used to identify hidden code at runtime, as well as used
forensically for gathering data about an attack. We’ll also cover shared
memory objects, and the dangers that lie within – including a few live
samples of bugs nobody cares to fix.

Finally, it’s not just all about the kernel! You’ll also discover how
Windows’ Subsystem Model affects the execution of code and abstraction of
various system components and we’ll take a look at the Windows Subsystem
specifically, and how past and present CSRSS vulnerabilities can be used to
escape sandboxes and attack the kernel. The Windows Subsystem extends its
claws into the kernel through the window manager (Win32k.sys) and its data
structures and behaviors will also be in the purview of our class. We will
be using deprecated and unsupported debugger extensions to peer into
aspects of Win32k.sys that few have looked at before – except those that
find new kernel vulnerabilities in it by the minute.

Finally, we will take a look at certain examples of plain C code that
contain well-known bugs, as well as certain harder-to-spot bugs within the
specific context of running in a Windows kernel environment.

CLASS REQUIREMENTS

Prerequisites

IMPORTANT: It’s helpful to understand x86/x64/ARM assembly to take this
course, but knowledge of obfuscation, packing, etc., is not required.

Basic knowledge of Windows, processor architecture, and operating systems
is helpful – you should have some vague idea of what an interrupt is, and
what is the difference between user and kernel mode (ring levels), a bit
about virtual memory/paging, etc.

Minimum Software to Install

You must have a Windows machine to attend, and you should have the Windows
Driver Kit 10 release for Threshold 2 or later (10586 / 1511), which you
can freely grab from the Windows Hardware Portal or MSDN.

A virtual machine (VirtualBox is strongly preferred – configured in EFI +
Hyper-V mode for best performance) is recommended with an installed version
of Windows 10. Locally, any version of Windows 7 or Windows 8, 32-bit or
64-bit is fine – you may prefer 32-bit if that is the disassembly you are
most familiar with and/or want to use Hexrays. You should install the
Windows Driver Kit on your host – not the VM. If you have a Linux or Mac
device, then you may either install the Windows Driver Kit on the VM
itself, or, better yet, use two separate virtual machines.

The instructor will use a 64-bit Windows 10 device, with Windows 8.1 and
Windows 7 32-bit VMs.

IDA/Hexrays helpful, but not required.

BIO

Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a
world-class security architect and consultant expert in low-level system
software, kernel development, security training, and reverse engineering.
He is coauthor of the last two editions of the Windows Internals series,
along with Mark Russinovich and David Solomon. His work has led to the
fixing of many critical kernel vulnerabilities, as well as over a few dozen
non-security bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open source
Windows clone written from scratch, for which he wrote most of the Windows
NT-based subsystems. During his studies in Computer Science, Alex worked at
Apple on the iOS kernel, boot loader, and drivers on the original core
platform team behind the iPhone, iPad and AppleTV. Alex is also the founder
of Winsider Seminars & Solutions Inc., a company that specializes in low-
level system software, reverse engineering and security trainings for
various institutions. In the last three years, he has also contributed to
patches and development in two major commercially used operating system
kernels.